iPhone, iPad become apple of cyber criminals' eye

Sheer iOS traffic is making Apple the lowest hanging fruit, Zscaler's State of the Web Report finds

Apple devices -- ever more popular in the workplace -- are about to become more popular with cyber criminals.

That is one of a number of findings in security vendor Zscaler's Q1 State of the Web Report that should be unsettling to enterprises that permit employees to "bring your own device," or BYOD.

The biggest mobile targets of malware so far have been devices powered by Android, since it is in the widest use and is an open platform.

But that may change soon. Zscaler's report said in a survey covering 200 billion transactions, Apple iOS web traffic jumped from 40% in the last quarter of 2011 to 48% in the first quarter of 2012, surpassing Android, which dropped to 37%.

More iOS traffic means more Apple devices in use at enterprises, which is likely to make them more attractive to cyber criminals.

And a significant majority of enterprises allow BYOD: A survey released in April by the SANS Institute found that 61% of more than 500 companies surveyed allowed BYOD. A press release announcing the survey included as part of its headline: "Lack of awareness, chaos pervades with BYOD."

The so-called "consumerization of IT" is an apparently unstoppable trend. And most businesses don't want to stop it, because of the advantages that collaboration and social networking with mobile devices can bring to the enterprise. Still, increasing security threats could undermine those advantages.

Blake Turrentine, CEO of HotWAN and trainer at Black Hat, has been a penetration tester for more than 12 years. His continuing mantra is, "most everything you do on a smartphone can and may be monitored," although he does qualify that by saying he believes Apple iOS devices that are kept up to date with the latest firmware are relatively secure.

Rachel Ratcliff Womack, a vice president with the digital security firm Stroz Friedberg, told The Bottom Line's Herb Weisbaum on MSNBC that most people carry both business and personal information on their mobile devices. "It brings those two worlds together in a very convenient package for criminals to target," she said.

And the damage malware can do is the same as on other devices: steal personal information, drain bank accounts and spy on users.

"[Yet] users may view these devices as eminently secure, when in reality they are just waiting to receive more attention from cyber criminals," James Lyne, director of technology strategies at the online security firm Sophos, told Weisbaum.

In the face of these impending threats, multiple security surveys find both employees and employers appear to be relatively blase about them. SANS reported that only 9% of companies participating in its survey said they were "fully aware" of all the devices accessing their networks. Another 50% were "vaguely or fairly" aware. Nearly a third of the companies said they had no management policy for employee mobile devices.

Some of this may be inevitable. Turrentine says he doubts that enterprises can control their employees' personal devices. "Users control their own phones," he says, acknowledging that this is "a big [security] hole." The proliferation of smartphones, alone with their ever-expanding capabilities means "the attack surface is expanded," he says, noting that Apple devices are prized because of their cutting-edge functionality.

And he agrees that security is not the priority it should be at all levels -- users, enterprise leaders and the manufacturers themselves. The pressure on the makers of devices is not for better security but more functionality. "They're racing so fast to come up with more capabilities, because the mobile market is changing so rapidly," he says.

Meanwhile, Mike Geide, senior researcher at Zscaler ThreatlabZ tells Network World that employees regularly try to bypass their companies' security policies, even using anonymous proxy servers to get to unauthorized web sites.

Turrentine says even relatively savvy smartphone users seem blissfully unaware of the ways they are exposing their confidential information. He says he visited a Verizon kiosk in a shopping mall and talked to some of the workers there who were doing things like, "downloading questionable third-party apps and also doing online banking."

The good news, he and others say, is that a solution is not terribly complicated. The best thing users can do is to make sure they have the latest versions of apps and the operating system of their device. Turrentine says the latest iOS is fairly secure, noting that it took the jailbreak community 10 months to break the iPad 2.

Beyond that, Lyne tells The Bottom Line that users should have a robust password, use encryption, and be very careful about what apps they install.